Ecatel’s harboring of SpamBots and Malware causes BGP Peers to stop peering with them.
Posted by jeremy on November 30th, 2008
Ecatel's (AS29073) BGP Issues
While I was adding some Google Charts to my SpamBot comment tracker I noticed that SpamBots originating from the ISP and hosting company Ecatel Network were my number one comment spam offender. Like any other security researcher I initially performed a Google search and landed on the blog post "Atrivo, McColo and now Ecatel" by Rune at "Silent noise - about spam, trojans and other nasty stuff", which sparked my interest and led me to dig deeper into this network.
It appears that several of Ecatel's BGP peers decided to drop peering with them, including Hurricane Electric Internet Service (AS6939), which from my research appeared to be their main peering point to the Internet. The initial drop in peering caused a complete outage for Ecatel's network, but this was short lived, as they were able to obtain peering from Joint Transit, which now appears to be their main peering location to the Internet. Several customers posted complaints concerning the outages on the public forum WebHosting Talk, which was also documented in Rune's blog post. I should also note that Ecatel still has not fully recovered and cannot be reached from a few locations in the US according to the Host-Tracker report I ran while writing this blog post. I cannot reach Ecatel's network right now through my ISP, which isn't a bad thing.
In trying to identify what exactly occurred when the peers decided to stop peering with Ecatel, I ran across an extremely useful tool that I had not played with before called "BGPlay" at Route Views. Using this new toy I was able to graphically replay the BGP route advertisements and withdrawals of the last week for any of the subnets living on the AS29073 Ecatel network. Here is Ecatel's network before AS6939 (Hurricane) stopped peering directly with them:
As you can clearly see, Ecatel's network (AS29073) was reaching the Internet via the peer Hurricane (AS6939) for the large majority of its traffic. Once Hurricane (AS6939) stopped peering directly with them, Ecatel scrambled to find a new main peering location, which took several hours, but eventually they were able to pull it off. Here is how Ecatel is peering right now:
As you can see from the image above, Ecatel's peering into the Internet is very different, but it did recover. I am also sure Ecatel's customers are seeing a difference in response times and throughput, as Hurricane Electric (AS6939) is ranked #46 by NetConfigs AS Rankings and Joint Transit (AS24785) is ranked #890.
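What BGPlay shows graphically can also be computed from a route collector's update feed. The following is an added example written for this post, not the BGPlay tool or any Route Views code: it replays announce/withdraw updates per collector peer and reports when the ASes adjacent to the origin change, which is exactly the Hurricane (AS6939) to Joint Transit (AS24785) swap described above. The updates, peer names, timestamps and transit ASes are constructed for illustration.

```python
from collections import namedtuple

ORIGIN_AS = 29073   # Ecatel, per the post
Update = namedtuple("Update", "ts peer event path")

# Constructed sample of updates for one Ecatel prefix as a route collector would
# record them (peer = collector's BGP neighbour, path ends at the origin; 'A'
# announces a path, 'W' withdraws the prefix from that peer). Timestamps and
# transit ASes are illustrative, not taken from the real archive.
SAMPLE_UPDATES = [
    Update("2008-11-24T00:00Z", "peer1", "A", [3356, 6939, 29073]),
    Update("2008-11-24T00:00Z", "peer2", "A", [2914, 6939, 29073, 29073]),
    Update("2008-11-25T09:12Z", "peer1", "W", None),
    Update("2008-11-25T09:13Z", "peer2", "W", None),
    Update("2008-11-25T14:40Z", "peer1", "A", [3356, 24785, 29073]),
    Update("2008-11-25T14:41Z", "peer2", "A", [2914, 24785, 29073]),
]

def upstream_of(path, origin):
    """Nearest AS before the origin, ignoring the origin's own prepends."""
    core = [asn for asn in path if asn != origin]
    return core[-1] if core and path[-1] == origin else None

def replay(updates, origin=ORIGIN_AS):
    """Replay the updates per peer; after each one, record the set of ASes that
    currently sit next to the origin. An empty set means no peer has a path."""
    rib, timeline = {}, []
    for u in updates:
        if u.event == "A":
            rib[u.peer] = u.path
        else:
            rib.pop(u.peer, None)
        ups = {upstream_of(p, origin) for p in rib.values()} - {None}
        timeline.append((u.ts, frozenset(ups)))
    return timeline

def upstream_changes(timeline):
    """(timestamp, lost upstreams, gained upstreams) whenever the set changes;
    a change that leaves the set empty marks the start of an outage."""
    changes, prev = [], frozenset()
    for ts, ups in timeline:
        if ups != prev:
            changes.append((ts, set(prev - ups), set(ups - prev)))
            prev = ups
    return changes

if __name__ == "__main__":
    for ts, lost, gained in upstream_changes(replay(SAMPLE_UPDATES)):
        print(ts, "lost:", sorted(lost), "gained:", sorted(gained))
```

On the sample this prints the gain of AS6939, its loss with no replacement (the outage window), and the later gain of AS24785.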
Now that Ecatel has had its hand slapped for harboring this collection of general badness, I can only hope that they have learned their lesson and will start to clean up their network. It is hand slaps like this that should really start getting ISPs' and hosting companies' attention, as a serious loss of revenue could occur if these types of actions continue to be taken. I can only hope that actions such as ICANN ridding us of EstDomains and the McColo and Atrivo network demises will become the norm. These types of actions can really start to get the ball rolling in cleaning up the Internet. The networks that harbor this type of badness really need to weigh the costs of dealing with these types of customers against the costs of losing Internet connectivity from actions taken against them like this. I am sure the bad guys always pay their bills on time, but if they can't route to the Internet I am equally sure they will be in the same line as the good guys asking for a full refund for the services you can no longer provide. I would also venture to say it would be more cost effective to lose a few bad customers than to take a network outage along with the bad reputation I am sure you will be labeled with.
SpamBot activities from AS29073 seen at sudosecure.net
Seventeen unique IP addresses originating from this network have attempted to post 1965 spam messages since I started tracking spam with my comment spam tracker. These IPs have been around for a while, as you can see from the following table:
Note: Longevity is the number of days between the first seen date and the last seen date, and not a true depiction of how long these IPs have been doing this.
Ecatel Network's Autonomous System (AS) number is AS29073. This AS made up ~68% of all comment spam attempts conducted against this blog. Obviously the people running the actual SpamBots are not scared of being loud or standing out in a crowd. Take a look at AS29073 vs. all other AS SpamBot networks in my comment spam tracker database:
The comment spam messages being spewed out by these SpamBots varied, but I did find some interesting trends. Seven of these IPs were either posting blank messages or garbage messages consisting of seemingly bogus domain names made up of seemingly random text strings. Here is an example posting from my database:
Here are the 7 IPs posting these types of messages:
- 200.63.42.136
- 94.102.60.151
- 94.102.60.152
- 94.102.60.153
- 94.102.60.182
- 94.102.60.43
- 94.102.60.77
I am not exactly sure why these SpamBots would be posting such random messages, but I do have a few theories. My guess is that these few IPs are probing SpamBots that crawl the Internet looking for blogs, forums, or any other website that has comment posting capabilities. Once these probing SpamBots receive a good server response demonstrating that they are capable of posting spam to a website, they most likely log the website. These logs are then used to feed URLs to the SpamBots that carry the real spam messages and the badness associated with them. Let me explain why I think this is a technique used by these spammers. Most websites will block IPs or subscribe to SpamBot tracking databases to create these filters. If the SpamBot operator sends out these very loud and aggressive probing SpamBots to do the dirty work, it will be these IPs that get added to the ACLs. This then allows the real SpamBot to operate more effectively, only spamming the websites that have been identified as susceptible to spam postings. This technique aids in keeping the real SpamBot from being placed in ACLs and blacklists. It also allows the SpamBot operators to accurately predict how many spam messages their SpamBots can post at any given time, and aids in advertising these capabilities to the organizations that buy SpamBot time. SpamBot operators are businessmen too, so they try to get the most out of their efforts. Again, this is just my theory and I have no real evidence that this is the actual technique being utilized here.
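The per-IP longevity, the per-AS share and the blank/random-domain pattern described above are all things a comment spam tracker can compute from its own records. The following is an added example written for this post, not the tracker code behind this blog: it summarizes constructed records by IP and by AS (longevity defined as the post defines it) and separates "probe" postings (blank, or nothing but random-looking domains) from payload spam. The sample records and the vowel-ratio heuristic are my assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample of comment-spam tracker records (not the post's data):
# (source_ip, origin_asn, date_seen, comment_body). AS64496 is a reserved
# documentation ASN standing in for "some other network".
SAMPLE_RECORDS = [
    ("94.102.60.151", 29073, date(2008, 9, 2), ""),
    ("94.102.60.151", 29073, date(2008, 11, 28), "http://qzxkvplmtr.com/"),
    ("94.102.60.43", 29073, date(2008, 10, 10), "http://wjqpxt.net xkvz"),
    ("94.102.49.14", 29073, date(2008, 11, 1), "cheap pills http://pharma-deals.example/"),
    ("94.102.49.14", 29073, date(2008, 11, 29), "order now http://pharma-deals.example/?id=3"),
    ("203.0.113.7", 64496, date(2008, 11, 15), "nice post http://casino-offers.example/"),
]

HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def looks_random(word):
    """Heuristic (my assumption, not the post's): under 20% vowels or a run of
    five consonants reads as a random string, e.g. 'qzxkvplmtr'."""
    letters = "".join(c for c in word.lower() if c.isalpha())
    if not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return vowel_ratio < 0.2 or re.search(r"[^aeiou]{5}", letters) is not None

def is_probe(body):
    """Blank comments, or comments made only of random-looking domains and
    words, are classed as probes that just test whether a form accepts posts."""
    text = body.strip()
    if not text:
        return True
    hosts = HOST_RE.findall(text)
    words = [w for w in HOST_RE.sub("", text).split() if any(c.isalpha() for c in w)]
    return bool(hosts) and all(looks_random(h.split(".")[0]) for h in hosts) \
        and all(looks_random(w) for w in words)

def summarize(records):
    """Per-IP activity (longevity = days between first and last seen, as the
    post defines it) and each AS's percentage share of all attempts."""
    per_ip, per_as = {}, defaultdict(int)
    for ip, asn, seen, body in records:
        s = per_ip.setdefault(ip, {"asn": asn, "attempts": 0, "probes": 0,
                                   "first": seen, "last": seen})
        s["attempts"] += 1
        s["probes"] += is_probe(body)
        s["first"], s["last"] = min(s["first"], seen), max(s["last"], seen)
        per_as[asn] += 1
    for s in per_ip.values():
        s["longevity_days"] = (s["last"] - s["first"]).days
    as_share = {asn: round(100 * n / len(records), 1) for asn, n in per_as.items()}
    return per_ip, as_share
```

Call `summarize(SAMPLE_RECORDS)` to get the per-IP table and the AS share; on this sample AS29073 accounts for 83.3% of attempts and two of its IPs are flagged as probes.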
The next set of 3 IPs spammed pharmaceutical-type messages leading to WordPress 2.5.1 templates that contained pharmaceutical messages and information spam as well. Here is a sample from one of the spam messages:
Here is a list of the 3 IPs posting similar messages:
- 200.63.42.141
- 94.102.49.14
- 94.102.60.127
The WordPress templates house some obfuscated JavaScript used to redirect the visitor to another website. There is some interesting code used to ensure visitors are not being led to this site via search engine results. Here is the interesting portion of the code:
Basically the author of this JavaScript checks whether any of the major search engines appears in the referrer string, or whether the visitor has no referrer string set at all. If either of these conditions is true, the value of "gogo" remains false and the visitor is presented with a "404 page not found" page. If both conditions are false, the visitor is redirected, in this case to abapharm.net, with a few variables passed in the URL. The last three messages posted from these SpamBot IPs redirected to the following domain names:
- bestcasinogroup.com
- abapharm.net
- asiatradefinance.com
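The referrer check described above leaves a recognizable static fingerprint: the script reads `document.referrer`, compares it with search engine names, and changes `location` for everyone else. The following is an added example written for this post, not the spammers' template or any tool mentioned here: a small static detector that flags that combination in a page's inline scripts. The regexes, the search engine list, and the two test fixtures (the redirect target is a placeholder) are my constructions.

```python
import re

# Indicators of the described check (regexes and engine list are my assumptions):
# the script reads the referrer, tests it against search engine names, and
# changes location for visitors that did not arrive from a search.
REFERRER_RE = re.compile(r"document\.referrer", re.I)
ENGINE_RE = re.compile(r"google|yahoo|msn|live\.com|ask\.com", re.I)
REDIRECT_RE = re.compile(r"(?:window\.|document\.)?location(?:\.href|\.replace|\s*=)", re.I)
NOT_FOUND_RE = re.compile(r"404|not\s+found", re.I)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)

def cloaking_indicators(html):
    """Static indicators found in the page's inline scripts (the fake
    'not found' text is looked for in the whole document)."""
    js = "\n".join(SCRIPT_RE.findall(html))
    return {
        "reads_referrer": bool(REFERRER_RE.search(js)),
        "engines": sorted({m.lower() for m in ENGINE_RE.findall(js)}),
        "redirects": bool(REDIRECT_RE.search(js)),
        "fake_404": bool(NOT_FOUND_RE.search(html)),
    }

def is_referrer_cloaked(html):
    """Flag a page only when all three core indicators line up: it reads the
    referrer, compares it with search engine names, and redirects."""
    i = cloaking_indicators(html)
    return i["reads_referrer"] and bool(i["engines"]) and i["redirects"]

# Constructed test fixtures. The first mirrors the logic the post describes
# (search engine or empty referrer -> fake 404, otherwise redirect); the second
# reads the referrer for a hit counter only and must not be flagged.
CLOAKED_PAGE = """<html><body><script>
var ref = document.referrer.toLowerCase(), gogo = true;
if (ref == "" || ref.indexOf("google") > -1 || ref.indexOf("yahoo") > -1) gogo = false;
if (gogo) window.location.href = "http://redirect-target.example/";
</script><h1>404 page not found</h1></body></html>"""

BENIGN_PAGE = """<html><body><script>
var px = new Image(); px.src = "/hit.gif?ref=" + encodeURIComponent(document.referrer);
</script><p>Search keyword: google analytics tips</p></body></html>"""
```

Engine names appearing only in page text, as in the benign fixture, do not count, because only the script bodies are examined for the referrer comparison.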
These domains seem to be rotated on a regular basis and lead to either pharmaceutical websites or pay-per-click search redirection. The pharmaceutical site I was redirected to during this research was "trustedtabletsworld.com". Nothing really interesting there, but the pay-per-click search redirection sites proved to be a little more interesting. All of the pay-per-click hijacking sites were redirecting through one IP:
- 64.111.196.117
A quick Google search for this IP led me to an outstanding article documenting this type of tunneling, called "Double-Funnel", by a few Microsoft security researchers back in March of 2007. I am not going to go into the details of how this "Double-Funnel" redirection tunneling works, as the article does a very good job of describing the technique and has some really interesting statistics; I would recommend reading it: Spam Double-Funnel: Connecting Web Spammers with Advertisers. That was the interesting part!
The last set of SpamBot IPs were posting porn spam messages which led to more of this Double-Funnel pay-per-click search redirection. I noticed that this set of SpamBot IP addresses all started off with the initial JavaScript redirection pointing to "xxx.whatsdirect.cn", which then redirected again to the actual pay-per-click tunneling server/site. Two of these SpamBot IPs (94.102.60.166 and 94.102.60.162) had errors in the initial spam message links, pointing to "xxx.whatsdirect.com" instead of "xxx.whatsdirect.cn", so if you're the paying spam customer utilizing this SpamBot provider to propagate your garbage over the Internet, you may want to make sure you get a discount next time, as this typo most likely caused you to lose some money.
Here is a chart to demonstrate how active the individual SpamBots are when compared to one another:
While researching the SpamBots originating from the Ecatel Network (AS29073) I ran across several forum posts, blog posts, and websites complaining about these IP address ranges. I even found that several of the well-known spam blacklists had some of these subnets completely blocked. The Spamhaus Project has some interesting listings for the Ecatel Network in which connections with Russian malware, ROKSO spammers, and even the recent Mac OS X Trojan DNSChanger are documented. Here is the Spamhaus report and Jose Nazario's blog post at Arbor documenting the new Mac Trojan. Here is a link to my SpamBot comment spam tracker filtered to the AS29073 network, which will be automatically updated as Ecatel SpamBots continue to hit this blog.
As always, if you have any questions or comments regarding my postings, feel free to post a comment or contact me via email.
December 1st, 2008 at 2:07 am
These IPs host SpamBots too:
- 89.248.172.26
- 93.174.93.209
- 93.174.93.208
- 94.102.49.85
December 3rd, 2008 at 3:41 pm
This range of IPs is also an issue:
- Ecatel: 89.248.172.0 to 89.248.172.255